Support Forum
jpsunnyvale
New Contributor

FortiGate IKEv2 error: "ignoring IKEv2 request, interface is administratively down"

    set type dynamic
    set interface "port1"
    set ike-version 2
    set peertype any
    set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha384 aes128gcm-prfsha256
    set dpd on-idle
    set dhgrp 20 19 14
    set reauth enable
    set idle-timeout enable
    set psksecret ENC 1VQ0j0YX34DWAmM8U2OnsibIcaGXjAsuaJfZEE4tZ/YPh1cayPwyql3b47Ro01xQVPs60wZHn4l/f8/mQZnsHidUbGPp7Q61gWN8FP91Q1sbAKuZoCxbFn13+rJAnSS7kkT7OnaB3iYWqf6pU4SZIJjYa2HxRkZglfGuq8TnoetM8g+qc/kFKlHwCTow4m+ZRrsy+A==
    set dpd-retryinterval 60

My setup is this.

But whenever I try to bring up the tunnel against the FortiGate (FortiOS v6.0.9), I see the following error:

ike 0: IKEv2 exchange=SA_INIT id=d740acea5f4716a4/0000000000000000 len=264
ike 0: in D740ACEA5F4716A400000000000000002120220800000000000001082200002800000024010100030300000C01000014800E00800300000802000005000000080400001328000048001300002D34B59462315518C39B3D2575F5D5C5B85D6DAF45377F071FB8A63DE28394165866E7935EDB8EFE2FA3E0D274D034CD9915ED716B4B2F3744D6EFA02AC0EC2D290000241FD60B2308A8EE036155EACA8498C1EA7DF63749BE32BF98DC0E1F315E4BCE562900001C00004004C408DDCDF31AF7BF61AF35C89E73BBEC5D2425FB2900001C0000400592FE081C8710B828D14274E50BEBE7FBCB8E868E290000080000402E290000100000402F00020003000400050000000800004016
ike 0:d740acea5f4716a4/0000000000000000:4901: responder received SA_INIT msg
ike 0:d740acea5f4716a4/0000000000000000:4901: received notify type NAT_DETECTION_SOURCE_IP
ike 0:d740acea5f4716a4/0000000000000000:4901: received notify type NAT_DETECTION_DESTINATION_IP
ike 0:d740acea5f4716a4/0000000000000000:4901: received notify type FRAGMENTATION_SUPPORTED
ike 0:d740acea5f4716a4/0000000000000000:4901: received notify type SIGNATURE_HASH_ALGORITHMS
ike 0:d740acea5f4716a4/0000000000000000:4901: received notify type 16406
ike 0:d740acea5f4716a4/0000000000000000:4901: ignoring unauthenticated notify payload (16406)
ike 0:d740acea5f4716a4/0000000000000000:4901: incoming proposal:
ike 0:d740acea5f4716a4/0000000000000000:4901: proposal id = 1:
ike 0:d740acea5f4716a4/0000000000000000:4901: protocol = IKEv2:
ike 0:d740acea5f4716a4/0000000000000000:4901: encapsulation = IKEv2/none
ike 0:d740acea5f4716a4/0000000000000000:4901: type=ENCR, val=AES_GCM_16 (key_len = 128)
ike 0:d740acea5f4716a4/0000000000000000:4901: type=PRF, val=PRF_HMAC_SHA2_256
ike 0:d740acea5f4716a4/0000000000000000:4901: type=DH_GROUP, val=ECP256.
ike 0:IKEv2: ignoring IKEv2 request, interface is administratively down
ike 0:d740acea5f4716a4/0000000000000000:4901: negotiation failure
ike Negotiate SA Error: ike ike [10142]

With the same set of cipher suites and settings, IKEv1 works fine, but IKEv2 doesn't.

It looks like it doesn't like the proposal or something, but from the log it is not clear.

Does anybody have the same issue?

16 REPLIES
jpsunnyvale

The other side is StrongSwan.

emnoc
Esteemed Contributor III

Interesting. So can you share the conn profile that you have built in strongSwan? Dump out the IKE details from ipsec.conf or swanctl.

I'm betting IKEv2 is not enabled and that might be part of the issue, but that's easy to determine.

Ken Felix
PCNSE NSE StrongSwan
jpsunnyvale

Here it is.

 

ipsec.conf

conn %default
    authby=never
    mobike=no
    closeaction=none
    dpdaction=hold
    dpddelay=30s
    dpdtimeout=150s
    inactivity=180
    ikelifetime=3h
    keyexchange=ike
    keyingtries=3
    lifetime=1h
    reauth=yes
    rekey=yes
    margintime=9m
    esp=sha1-aes256,sha256-aes256!
    ike=aes256-sha256-modp2048!
    forceencaps=no

conn icmpv6
    right=::1    # so this connection does not get used for other purposes
    leftsubnet=::/0[ipv6-icmp/%any]
    rightsubnet=::/0[ipv6-icmp/%any]
    auto=route
    type=passthrough

conn 4.10-0-1-0.24.0.0
    inactivity=3600
    right=54.241.130.111
    rightsubnet=10.0.1.0/24
    leftauth=psk
    rightauth=psk
    leftsendcert=no
    rightsendcert=no
    rightid=%any
    type=tunnel
    auto=route


ipsec statusall dump

Status of IKE charon daemon (strongSwan 5.7.2, Linux 3.10.0-1127.8.2.el7.x86_64, x86_64):
  uptime: 20 hours, since Jun 23 12:47:13 2020
  malloc: sbrk 1462272, mmap 0, used 343232, free 1119040
  worker threads: 27 of 32 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 0
  loaded plugins: charon aes des sha2 sha1 md5 random nonce x509 revocation pubkey pkcs1 pkcs7 pkcs8 pkcs12 sshkey pem openssl curve25519 xcbc hmac attr kernel-netlink socket-default stroke vici updown error-notify counters
Listening IP addresses:
  192.168.41.165
  fd15:4ba5:5a2b:1002:ccae:9dbd:e1e4:1022
Connections:
     icmpv6:  %any...::1  IKEv1/2, dpddelay=30s
     icmpv6:   local:  uses public key authentication
     icmpv6:   remote: [::1] uses public key authentication
     icmpv6:   child:  ::/0[ipv6-icmp] === ::/0[ipv6-icmp] PASS, dpdaction=hold
4.10-0-1-0.24.0.0:  %any...54.241.130.111  IKEv1/2, dpddelay=30s
4.10-0-1-0.24.0.0:   local:  uses pre-shared key authentication
4.10-0-1-0.24.0.0:   remote: uses pre-shared key authentication
4.10-0-1-0.24.0.0:   child:  dynamic === 10.0.1.0/24 TUNNEL, dpdaction=hold
Shunted Connections:
     icmpv6:  ::/0[ipv6-icmp] === ::/0[ipv6-icmp] PASS
Routed Connections:
4.10-0-1-0.24.0.0{2}:  ROUTED, TUNNEL, reqid 2
4.10-0-1-0.24.0.0{2}:   192.168.41.165/32 === 10.0.1.0/24
Security Associations (0 up, 0 connecting):
  none

jpsunnyvale

strongSwan sets IKEv2 as the default.

From my original post:

ike 0:d740acea5f4716a4/0000000000000000:4901: responder received SA_INIT msg
ike 0:d740acea5f4716a4/0000000000000000:4901: received notify type NAT_DETECTION_SOURCE_IP
ike 0:d740acea5f4716a4/0000000000000000:4901: received notify type NAT_DETECTION_DESTINATION_IP
ike 0:d740acea5f4716a4/0000000000000000:4901: received notify type FRAGMENTATION_SUPPORTED
ike 0:d740acea5f4716a4/0000000000000000:4901: received notify type SIGNATURE_HASH_ALGORITHMS
ike 0:d740acea5f4716a4/0000000000000000:4901: received notify type 16406
ike 0:d740acea5f4716a4/0000000000000000:4901: ignoring unauthenticated notify payload (16406)
ike 0:d740acea5f4716a4/0000000000000000:4901: incoming proposal:
ike 0:d740acea5f4716a4/0000000000000000:4901: proposal id = 1:
ike 0:d740acea5f4716a4/0000000000000000:4901: protocol = IKEv2:
ike 0:d740acea5f4716a4/0000000000000000:4901: encapsulation = IKEv2/none
ike 0:d740acea5f4716a4/0000000000000000:4901: type=ENCR, val=AES_GCM_16 (key_len = 128)
ike 0:d740acea5f4716a4/0000000000000000:4901: type=PRF, val=PRF_HMAC_SHA2_256
ike 0:d740acea5f4716a4/0000000000000000:4901: type=DH_GROUP, val=ECP256.
ike 0:IKEv2: ignoring IKEv2 request, interface is administratively down

That is why the FortiGate recognized it as IKEv2.

And I hardcoded IKEv2 like you suggested; it is still the same.

With the same setup IKEv1 works, not IKEv2. So I don't think there is any need to switch to dial-up or start from scratch at this point.

I am suspicious that the "type=PRF, val=PRF_HMAC_SHA2_256" that strongSwan adds by default does not match what the FortiGate expects?

Or IKEv1 and IKEv2 configurations cannot coexist on the same port?

emnoc
Esteemed Contributor III

On the FortiGate, IKEv1 and IKEv2 are both available and can work on the same ports. That "admin down" seems to me to say that it, or somebody, thinks it is NOT enabled for IKE version 2. I see this a lot with firewalls that do either of the two versions, and I have run into this on many occasions.

Here's an idea: if you do the config from a 2nd FortiGate, does the same error come up? Has the strongSwan side ever had an IKEv2 conn at any given time?

Do you have the means to plumb a simple IKEv2 gateway and connect to the strongSwan host (i.e. AWS or DigitalOcean and a Linux VM guest)?

When I have problems like this and do not have lab gear, I stand up a stroke machine or even a virtual FortiGate and run a series of tests to get to the bottom of the issue. Also, a pcap analysis will be very helpful if you have not taken one. I would capture the IKE datagrams between peers and then analyze them in Wireshark. You can learn and witness a lot of details.

Ken Felix
PCNSE NSE StrongSwan
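Ken's advice to capture the IKE datagrams and read them in Wireshark can be applied to what the FortiGate has already printed: the "ike 0: in D740ACEA..." line in the original post is the complete 264-byte IKE_SA_INIT request from strongSwan. The script below is an added example, not code from this thread, FortiGate or strongSwan. It decodes that datagram's header, SA proposal, KE, Nonce and Notify payloads, reproduces the "type=ENCR, val=AES_GCM_16 (key_len = 128)" lines the FortiGate logged, and then checks whether the offered proposal would be covered by the phase1 `set proposal` / `set dhgrp` values from the first post. The FortiOS token-to-transform mapping in `fortigate_accepts` is an assumption of this example, not taken from FortiOS documentation; the name REDIRECT_SUPPORTED for notify 16406 is the RFC 5685 assignment (the FortiGate log only prints the number).

```python
"""Decode the IKE_SA_INIT that FortiGate logged as "ike 0: in D740ACEA...". Added example,
not FortiGate's or strongSwan's code; it decodes only the payload types present in this message."""
import struct

# Hex copied from the "ike 0: in ..." line of the original post, wrapped by payload here.
SA_INIT_HEX = (
    "D740ACEA5F4716A40000000000000000212022080000000000000108"          # IKE header (28 bytes)
    "2200002800000024010100030300000C01000014800E0080"                  # SA: proposal 1, ENCR transform
    "03000008020000050000000804000013"                                  # PRF and DH transforms
    "28000048001300002D34B59462315518C39B3D2575F5D5C5B85D6DAF45377F071FB8A63DE2839416"
    "5866E7935EDB8EFE2FA3E0D274D034CD9915ED716B4B2F3744D6EFA02AC0EC2D"  # KE, group 19, 64-byte point
    "290000241FD60B2308A8EE036155EACA8498C1EA7DF63749BE32BF98DC0E1F315E4BCE56"  # Nonce
    "2900001C00004004C408DDCDF31AF7BF61AF35C89E73BBEC5D2425FB"          # N(NAT_DETECTION_SOURCE_IP)
    "2900001C0000400592FE081C8710B828D14274E50BEBE7FBCB8E868E"          # N(NAT_DETECTION_DESTINATION_IP)
    "290000080000402E290000100000402F0002000300040005"                  # N(FRAGMENTATION_SUPPORTED), N(SIGNATURE_HASH_ALGORITHMS)
    "0000000800004016"                                                  # N(16406), last payload
)

# IANA IKEv2 registry values, limited to what is needed to read this exchange.
EXCHANGE = {34: "IKE_SA_INIT", 35: "IKE_AUTH", 36: "CREATE_CHILD_SA", 37: "INFORMATIONAL"}
TRANSFORM_TYPE = {1: "ENCR", 2: "PRF", 3: "INTEG", 4: "DH_GROUP", 5: "ESN"}
TRANSFORM_ID = {"ENCR": {12: "AES_CBC", 20: "AES_GCM_16"},
                "PRF": {2: "PRF_HMAC_SHA1", 5: "PRF_HMAC_SHA2_256", 6: "PRF_HMAC_SHA2_384"},
                "INTEG": {2: "HMAC_SHA1_96", 12: "HMAC_SHA2_256_128", 13: "HMAC_SHA2_384_192"},
                "DH_GROUP": {14: "MODP2048", 19: "ECP256", 20: "ECP384"}}
NOTIFY = {16388: "NAT_DETECTION_SOURCE_IP", 16389: "NAT_DETECTION_DESTINATION_IP",
          16406: "REDIRECT_SUPPORTED", 16430: "FRAGMENTATION_SUPPORTED", 16431: "SIGNATURE_HASH_ALGORITHMS"}
KEY_LENGTH_ATTR = 0x800E  # TV-format transform attribute 14 (Key Length)


def parse_sa(body):
    """Return the proposals in an SA payload as [{'num', 'protocol', 'transforms'}]."""
    proposals, off = [], 0
    while off < len(body):
        _last, _r, p_len, p_num, proto, spi_size, n_tf = struct.unpack("!BBHBBBB", body[off:off + 8])
        toff, transforms = off + 8 + spi_size, []
        for _ in range(n_tf):
            _l, _r, t_len, t_type, _r2, t_id = struct.unpack("!BBHBBH", body[toff:toff + 8])
            attrs, key_len = body[toff + 8:toff + t_len], None
            if len(attrs) >= 4 and struct.unpack("!H", attrs[:2])[0] == KEY_LENGTH_ATTR:
                key_len = struct.unpack("!H", attrs[2:4])[0]
            transforms.append((TRANSFORM_TYPE.get(t_type, t_type), t_id, key_len))
            toff += t_len
        proposals.append({"num": p_num, "protocol": proto, "transforms": transforms})
        off += p_len
    return proposals


def parse_ike_sa_init(raw):
    """Walk the IKE header and payload chain; return the fields a responder would log."""
    spi_i, _spi_r, next_pl, _ver, exch, flags, _msg_id, length = struct.unpack("!8s8sBBBBII", raw[:28])
    if length != len(raw):
        raise ValueError(f"header says {length} bytes, datagram is {len(raw)}")
    msg = {"spi_i": spi_i.hex(), "exchange": EXCHANGE.get(exch, exch), "initiator": bool(flags & 0x08),
           "proposals": [], "ke_group": None, "nonce_len": None, "notifies": []}
    off = 28
    while next_pl != 0:                                    # generic payload header: next, crit, length
        nxt, _crit, pl_len = struct.unpack("!BBH", raw[off:off + 4])
        body = raw[off + 4:off + pl_len]
        if next_pl == 33:                                  # SA
            msg["proposals"] = parse_sa(body)
        elif next_pl == 34:                                # KE: group number, reserved, public value
            msg["ke_group"] = struct.unpack("!H", body[:2])[0]
        elif next_pl == 40:                                # Nonce
            msg["nonce_len"] = len(body)
        elif next_pl == 41:                                # Notify: proto, spi_size, type, spi, data
            ntype = struct.unpack("!H", body[2:4])[0]
            msg["notifies"].append((ntype, NOTIFY.get(ntype, f"unknown({ntype})")))
        off, next_pl = off + pl_len, nxt
    return msg


def describe(proposal):
    """Render the transforms the way the FortiGate debug prints them."""
    return [f"type={t}, val={TRANSFORM_ID.get(t, {}).get(i, str(i))}" + (f" (key_len = {k})" if k else "")
            for t, i, k in proposal["transforms"]]


# ASSUMED mapping of FortiOS phase1 'set proposal' tokens to IKEv2 transforms (not from FortiOS docs):
# 'aes128gcm-prfsha256' = AES-GCM-128 + PRF SHA-256 (no INTEG); 'aes128-sha256' = AES-CBC-128 +
# HMAC-SHA-256 integrity + PRF SHA-256. 'set dhgrp' supplies the acceptable DH transforms.
FGT_ENCR = {"aes128": (12, 128), "aes256": (12, 256), "aes128gcm": (20, 128), "aes256gcm": (20, 256)}
FGT_PRF = {"sha1": 2, "sha256": 5, "sha384": 6, "sha512": 7}
FGT_INTEG = {"sha1": 2, "sha256": 12, "sha384": 13, "sha512": 14}


def fortigate_accepts(proposal_str, dhgrp_str, proposal):
    """True if some phase1 proposal token covers every transform type the peer offered, and no other."""
    offered = {}
    for t_type, t_id, key_len in proposal["transforms"]:
        offered.setdefault(t_type, set()).add((t_id, key_len))
    dh = {(int(g), None) for g in dhgrp_str.split()}
    for token in proposal_str.split():
        enc, auth = token.split("-")
        want = {"ENCR": {FGT_ENCR[enc]}, "DH_GROUP": dh}
        if auth.startswith("prf"):                         # AEAD cipher: PRF only, no INTEG transform
            want["PRF"] = {(FGT_PRF[auth[3:]], None)}
        else:
            want["PRF"], want["INTEG"] = {(FGT_PRF[auth], None)}, {(FGT_INTEG[auth], None)}
        if want.keys() == offered.keys() and all(want[t] & offered[t] for t in want):
            return True
    return False


if __name__ == "__main__":
    m = parse_ike_sa_init(bytes.fromhex(SA_INIT_HEX))
    print(m["exchange"], "spi_i =", m["spi_i"], "KE group", m["ke_group"], "nonce bytes", m["nonce_len"])
    for ntype, name in m["notifies"]:
        print("received notify type", ntype, name)
    print(*describe(m["proposals"][0]), sep="\n")
    print("covered by OP's phase1:", fortigate_accepts(
        "aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha384 aes128gcm-prfsha256", "20 19 14", m["proposals"][0]))
```

For this datagram the decoder prints the same five notifies and the same three transforms (AES_GCM_16/128, PRF_HMAC_SHA2_256, ECP256) as the FortiGate debug, and the proposal is covered by `aes128gcm-prfsha256` with `dhgrp 19` from the first post. That agrees with the log, which lists the proposal without complaint before stopping on the "interface is administratively down" message.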
jpsunnyvale

Emnoc,

Thank you so much for helping me.

I have the same setup against Cisco ASA, PAN and strongSwan as well as FortiGate.

Cisco ASA, PAN and strongSwan work. :)

The last piece is FortiGate.

emnoc
Esteemed Contributor III

Bingo.

keyexchange needs to be called out:

keyexchange = ikev2

Here's a basic template of what I used: PSK with left/right set (local/remote IKE identity).

conn FGT100D
    fragmentation = yes
    keyexchange = ikev2
    installpolicy = yes
    type = tunnel

    # enable DPD; optional but recommended. If tunnels come up and drop, disable DPD and re-monitor
    dpdaction = restart
    dpddelay = 10s
    dpdtimeout = 60s

    # set IKE/ph2 lifetimes
    ikelifetime = 14400s
    lifetime = 3600s
    auto = add
    left = %defaultroute
    leftauth = psk
    leftid = @linux1@socpuppets.com
    right = x.x.x.x                        # install the public address of the FGT here
    rightid = @fgt200D@socpppets.com       # change this to match the FGT ike-identity, or use %any
    rightsubnet = 10.19.0.0/23             # match the subnets in the enc-domain
    leftsubnet = 10.18.20.0/24
    ike = aes256-sha256-modp1536,aes256-sha1-modp1536!   # IKE proposals
    esp = aes256-sha256,aes256-sha1!                     # ESP proposals

I would start with a basic config if you're seeing problems, and I personally (nothing wrong with it) hate multiple proposals for ph1/ph2 on site-to-site VPNs.

Dynamic dialup makes sense, but deterministic is better and easier to diagnose.

Ken Felix
PCNSE NSE StrongSwan